<!DOCTYPE html>
<html lang="en-us">
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
    
<meta charset="UTF-8">
<title>Built-in users | Elasticsearch Guide [7.7] | Elastic</title>
<link rel="home" href="index.html" title="Elasticsearch Guide [7.7]">
<link rel="up" href="setting-up-authentication.html" title="User authentication">
<link rel="prev" href="setting-up-authentication.html" title="User authentication">
<link rel="next" href="internal-users.html" title="Internal users">
<meta name="DC.type" content="Learn/Docs/Elasticsearch/Reference/7.7">
<meta name="DC.subject" content="Elasticsearch">
<meta name="DC.identifier" content="7.7">
<meta name="robots" content="noindex,nofollow">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <script src="https://cdn.optimizely.com/js/18132920325.js"></script>
    <link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
    <link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
    <link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
    <link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
    <link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
    <link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
    <link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
    <link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
    <link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
    <link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
    <link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
    <link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
    <link rel="manifest" href="/manifest.json">
    <meta name="apple-mobile-web-app-title" content="Elastic">
    <meta name="application-name" content="Elastic">
    <meta name="msapplication-TileColor" content="#ffffff">
    <meta name="msapplication-TileImage" content="/mstile-144x144.png">
    <meta name="theme-color" content="#ffffff">
    <meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd">
    <meta name="yandex-verification" content="d8a47e95d0972434">
    <meta name="localized" content="true">
    <meta name="st:robots" content="follow,index">
    <meta property="og:image" content="https://www.elastic.co/static/images/elastic-logo-200.png">
    <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
    <link rel="icon" href="/favicon.ico" type="image/x-icon">
    <link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
    <link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
    <link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
    <link rel="stylesheet" type="text/css" href="/guide/static/styles.css">
  </head>

  <!--© 2015-2021 Elasticsearch B.V. Copying, publishing and/or distributing without written permission is strictly prohibited.-->

  <body>
    <!-- Google Tag Manager -->
    <script>dataLayer = [];</script><noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-58RLH5" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
    <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-58RLH5');</script>
    <!-- End Google Tag Manager -->

    <!-- Global site tag (gtag.js) - Google Analytics -->
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-12395217-16"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());
      gtag('config', 'UA-12395217-16');
    </script>

    <!--BEGIN QUALTRICS WEBSITE FEEDBACK SNIPPET-->
    <script type="text/javascript">
      (function(){var g=function(e,h,f,g){
      this.get=function(a){for(var a=a+"=",c=document.cookie.split(";"),b=0,e=c.length;b<e;b++){for(var d=c[b];" "==d.charAt(0);)d=d.substring(1,d.length);if(0==d.indexOf(a))return d.substring(a.length,d.length)}return null};
      this.set=function(a,c){var b="",b=new Date;b.setTime(b.getTime()+6048E5);b="; expires="+b.toGMTString();document.cookie=a+"="+c+b+"; path=/; "};
      this.check=function(){var a=this.get(f);if(a)a=a.split(":");else if(100!=e)"v"==h&&(e=Math.random()>=e/100?0:100),a=[h,e,0],this.set(f,a.join(":"));else return!0;var c=a[1];if(100==c)return!0;switch(a[0]){case "v":return!1;case "r":return c=a[2]%Math.floor(100/c),a[2]++,this.set(f,a.join(":")),!c}return!0};
      this.go=function(){if(this.check()){var a=document.createElement("script");a.type="text/javascript";a.src=g;document.body&&document.body.appendChild(a)}};
      this.start=function(){var a=this;window.addEventListener?window.addEventListener("load",function(){a.go()},!1):window.attachEvent&&window.attachEvent("onload",function(){a.go()})}};
      try{(new g(100,"r","QSI_S_ZN_emkP0oSe9Qrn7kF","https://znemkp0ose9qrn7kf-elastic.siteintercept.qualtrics.com/WRSiteInterceptEngine/?Q_ZID=ZN_emkP0oSe9Qrn7kF")).start()}catch(i){}})();
    </script><div id="ZN_emkP0oSe9Qrn7kF"><!--DO NOT REMOVE-CONTENTS PLACED HERE--></div>
    <!--END WEBSITE FEEDBACK SNIPPET-->

    <div id="elastic-nav" style="display:none;"></div>
    <script src="https://www.elastic.co/elastic-nav.js"></script>

    <!-- Subnav -->
    <div>
      <div>
        <div class="tertiary-nav d-none d-md-block">
          <div class="container">
            <div class="p-t-b-15 d-flex justify-content-between nav-container">
              <div class="breadcrum-wrapper"><span><a href="/guide/" style="font-size: 14px; font-weight: 600; color: #000;">Docs</a></span></div>
            </div>
          </div>
        </div>
      </div>
    </div>

    <div class="main-container">
      <section id="content">
        <div class="content-wrapper">

          <section id="guide" lang="en">
            <div class="container">
              <div class="row">
                <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                  <!-- start body -->
                  <div class="page_header">
<strong>IMPORTANT</strong>: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
<a href="../current/index.html">current release documentation</a>.
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="setting-up-authentication.html">User authentication</a></span>
»
<span class="breadcrumb-node">Built-in users</span>
</div>
<div class="navheader">
<span class="prev">
<a href="setting-up-authentication.html">« User authentication</a>
</span>
<span class="next">
<a href="internal-users.html">Internal users »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="built-in-users"></a>Built-in users<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a><a class="xpack_tag" href="/subscriptions"></a>
</h2>
</div></div></div>
<p>The Elastic Stack security features provide built-in user credentials to help you get
up and running. These users have a fixed set of privileges and cannot be
authenticated until their passwords have been set. The <code class="literal">elastic</code> user can be
used to <a class="xref" href="built-in-users.html#set-built-in-user-passwords" title="Setting built-in user passwords">set all of the built-in user passwords</a>.</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">elastic</code>
</span>
</dt>
<dd>
A built-in <a class="xref" href="built-in-roles.html" title="Built-in roles">superuser</a>.
</dd>
<dt>
<span class="term">
<code class="literal">kibana</code>
</span>
</dt>
<dd>
The user Kibana uses to connect and communicate with Elasticsearch.
</dd>
<dt>
<span class="term">
<code class="literal">logstash_system</code>
</span>
</dt>
<dd>
The user Logstash uses when storing monitoring information in Elasticsearch.
</dd>
<dt>
<span class="term">
<code class="literal">beats_system</code>
</span>
</dt>
<dd>
The user the Beats use when storing monitoring information in Elasticsearch.
</dd>
<dt>
<span class="term">
<code class="literal">apm_system</code>
</span>
</dt>
<dd>
The user the APM server uses when storing monitoring information in Elasticsearch.
</dd>
<dt>
<span class="term">
<code class="literal">remote_monitoring_user</code>
</span>
</dt>
<dd>
The user Metricbeat uses when collecting and
storing monitoring information in Elasticsearch. It has the <code class="literal">remote_monitoring_agent</code> and
<code class="literal">remote_monitoring_collector</code> built-in roles.
</dd>
</dl>
</div>
<div class="tip admon">
<div class="icon"></div>
<div class="admon_content">
<p>The built-in users serve specific purposes and are not intended for general
use. In particular, do not use the <code class="literal">elastic</code> superuser unless full access to
the cluster is required. Instead, create users that have the minimum necessary
roles or privileges for their activities.</p>
</div>
</div>
<h4>
<a id="built-in-user-explanation"></a>How the built-in users work<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a>
</h4>
<p>These built-in users are stored in a special <code class="literal">.security</code> index, which is managed
by Elasticsearch. If a built-in user is disabled or its password
changes, the change is automatically reflected on each node in the cluster. If
your <code class="literal">.security</code> index is deleted or restored from a snapshot, however, any
changes you have applied are lost.</p>
<p>Although they share the same API, the built-in users are separate and distinct
from users managed by the <a class="xref" href="native-realm.html" title="Native user authentication">native realm</a>. Disabling the native
realm will not have any effect on the built-in users. The built-in users can
be disabled individually, using the
<a href="/guide/en/elasticsearch/reference/7.7/security-api-disable-user.html" class="ulink" target="_top">disable users API</a>.</p>
<h4>
<a id="bootstrap-elastic-passwords"></a>The Elastic bootstrap password<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a>
</h4>
<p>When you install Elasticsearch, if the <code class="literal">elastic</code> user does not already have a password,
it uses a default bootstrap password. The bootstrap password is a transient
password that enables you to run the tools that set all the built-in user passwords.</p>
<p>By default, the bootstrap password is derived from a randomized <code class="literal">keystore.seed</code>
setting, which is added to the keystore during installation. You do not need
to know or change this bootstrap password. If you have defined a
<code class="literal">bootstrap.password</code> setting in the keystore, however, that value is used instead.
For more information about interacting with the keystore, see
<a href="/guide/en/elasticsearch/reference/7.7/secure-settings.html" class="ulink" target="_top">Secure Settings</a>.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>After you <a class="xref" href="built-in-users.html#set-built-in-user-passwords" title="Setting built-in user passwords">set passwords for the built-in users</a>,
in particular for the <code class="literal">elastic</code> user, there is no further use for the bootstrap
password.</p>
</div>
</div>
<h4>
<a id="set-built-in-user-passwords"></a>Setting built-in user passwords<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a>
</h4>
<p>You must set the passwords for all built-in users.</p>
<p>The <code class="literal">elasticsearch-setup-passwords</code> tool is the simplest method to set the
built-in users' passwords for the first time. It uses the <code class="literal">elastic</code> user’s
bootstrap password to run user management API requests. For example, you can run
the command in an "interactive" mode, which prompts you to enter new passwords
for the <code class="literal">elastic</code>, <code class="literal">kibana</code>, <code class="literal">logstash_system</code>, <code class="literal">beats_system</code>, <code class="literal">apm_system</code>,
and <code class="literal">remote_monitoring_user</code> users:</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">bin/elasticsearch-setup-passwords interactive</pre>
</div>
<p>For more information about the command options, see
<a href="/guide/en/elasticsearch/reference/7.7/setup-passwords.html" class="ulink" target="_top">elasticsearch-setup-passwords</a>.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>After you set a password for the <code class="literal">elastic</code> user, the bootstrap
password is no longer valid; you cannot run the <code class="literal">elasticsearch-setup-passwords</code>
command a second time.</p>
</div>
</div>
<p>Alternatively, you can set the initial passwords for the built-in users by using
the <span class="strong strong"><strong>Management &gt; Users</strong></span> page in Kibana or the
<a href="/guide/en/elasticsearch/reference/7.7/security-api-change-password.html" class="ulink" target="_top">Change Password API</a>. These methods are
more complex. You must supply the <code class="literal">elastic</code> user and its bootstrap password to
log into Kibana or run the API. This requirement means that you cannot use the
default bootstrap password that is derived from the <code class="literal">keystore.seed</code> setting.
Instead, you must explicitly set a <code class="literal">bootstrap.password</code> setting in the keystore
before you start Elasticsearch. For example, the following command prompts you to enter a
new bootstrap password:</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">bin/elasticsearch-keystore add "bootstrap.password"</pre>
</div>
<p>You can then start Elasticsearch and Kibana and use the <code class="literal">elastic</code> user and bootstrap
password to log into Kibana and change the passwords. Alternatively, you can
submit Change Password API requests for each built-in user. These methods are
better suited for changing your passwords after the initial setup is complete,
since at that point the bootstrap password is no longer required.</p>
<h4>
<a id="add-built-in-user-kibana"></a>Adding built-in user passwords to Kibana<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a>
</h4>
<p>After the <code class="literal">kibana</code> user password is set, you need to update the Kibana server
with the new password by setting <code class="literal">elasticsearch.password</code> in the <code class="literal">kibana.yml</code>
configuration file:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">elasticsearch.password: kibanapassword</pre>
</div>
<p>See <a href="/guide/en/kibana/7.7/using-kibana-with-security.html" class="ulink" target="_top">Configuring security in Kibana</a>.</p>
<h4>
<a id="add-built-in-user-logstash"></a>Adding built-in user passwords to Logstash<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a>
</h4>
<p>The <code class="literal">logstash_system</code> user is used internally within Logstash when
monitoring is enabled for Logstash.</p>
<p>To enable this feature in Logstash, you need to update the Logstash
configuration with the new password by setting <code class="literal">xpack.monitoring.elasticsearch.password</code> in
the <code class="literal">logstash.yml</code> configuration file:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.monitoring.elasticsearch.password: logstashpassword</pre>
</div>
<p>If you have upgraded from an older version of Elasticsearch, the <code class="literal">logstash_system</code> user
may have defaulted to <em>disabled</em> for security reasons. Once the password has
been changed, you can enable the user via the following API call:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">PUT _security/user/logstash_system/_enable</pre>
</div>
<div class="console_widget" data-snippet="snippets/1218.console"></div>
<p>See <a href="/guide/en/logstash/7.7/ls-security.html#ls-monitoring-user" class="ulink" target="_top">Configuring credentials for Logstash monitoring</a>.</p>
<h4>
<a id="add-built-in-user-beats"></a>Adding built-in user passwords to Beats<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a>
</h4>
<p>The <code class="literal">beats_system</code> user is used internally within Beats when monitoring is
enabled for Beats.</p>
<p>To enable this feature in Beats, you need to update the configuration for each
of your beats to reference the correct username and password. For example:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.monitoring.elasticsearch.username: beats_system
xpack.monitoring.elasticsearch.password: beatspassword</pre>
</div>
<p>For example, see <a href="/guide/en/beats/metricbeat/7.7/monitoring.html" class="ulink" target="_top">Monitoring Metricbeat</a>.</p>
<p>The <code class="literal">remote_monitoring_user</code> is used when Metricbeat collects and stores
monitoring data for the Elastic Stack. See <a class="xref" href="monitoring-production.html" title="Monitoring in a production environment"><em>Monitoring in a production environment</em></a>.</p>
<p>If you have upgraded from an older version of Elasticsearch, then you may not have set a
password for the <code class="literal">beats_system</code> or <code class="literal">remote_monitoring_user</code> users. If this is
the case, then you should use the <span class="strong strong"><strong>Management &gt; Users</strong></span> page in Kibana or the
<a href="/guide/en/elasticsearch/reference/7.7/security-api-change-password.html" class="ulink" target="_top">Change Password API</a> to set a password
for these users.</p>
<h4>
<a id="add-built-in-user-apm"></a>Adding built-in user passwords to APM<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a>
</h4>
<p>The <code class="literal">apm_system</code> user is used internally within APM when monitoring is enabled.</p>
<p>To enable this feature in APM, you need to update the
<a href="/guide/en/apm/server/7.7/configuring-howto-apm-server.html" class="ulink" target="_top">APM configuration file</a> to
reference the correct username and password. For example:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.monitoring.elasticsearch.username: apm_system
xpack.monitoring.elasticsearch.password: apmserverpassword</pre>
</div>
<p>See <a href="/guide/en/apm/server/7.7/monitoring.html" class="ulink" target="_top">Monitoring APM Server</a>.</p>
<p>If you have upgraded from an older version of Elasticsearch, then you may not have set a
password for the <code class="literal">apm_system</code> user. If this is the case,
then you should use the <span class="strong strong"><strong>Management &gt; Users</strong></span> page in Kibana or the
<a href="/guide/en/elasticsearch/reference/7.7/security-api-change-password.html" class="ulink" target="_top">Change Password API</a> to set a password
for these users.</p>
<h4>
<a id="disabling-default-password"></a>Disabling default password functionality<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a>
</h4>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>This setting is deprecated. The elastic user no longer has a default password.
The password must be set before the user can be used.
See <a class="xref" href="built-in-users.html#bootstrap-elastic-passwords" title="The Elastic bootstrap password">The Elastic bootstrap password</a>.</p>
</div>
</div>
</div>
<div class="navfooter">
<span class="prev">
<a href="setting-up-authentication.html">« User authentication</a>
</span>
<span class="next">
<a href="internal-users.html">Internal users »</a>
</span>
</div>
</div>

                  <!-- end body -->
                </div>
                <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                  <div id="rtpcontainer" style="display: block;">
                    <div class="mktg-promo">
                      <h3>Most Popular</h3>
                      <ul class="icons">
                        <li class="icon-elasticsearch-white"><a href="https://www.elastic.co/webinars/getting-started-elasticsearch?baymax=default&amp;elektra=docs&amp;storm=top-video">Get Started with Elasticsearch: Video</a></li>
                        <li class="icon-kibana-white"><a href="https://www.elastic.co/webinars/getting-started-kibana?baymax=default&amp;elektra=docs&amp;storm=top-video">Intro to Kibana: Video</a></li>
                        <li class="icon-logstash-white"><a href="https://www.elastic.co/webinars/introduction-elk-stack?baymax=default&amp;elektra=docs&amp;storm=top-video">ELK for Logs &amp; Metrics: Video</a></li>
                      </ul>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </section>

        </div>


<div id="elastic-footer"></div>
<script src="https://www.elastic.co/elastic-footer.js"></script>
<!-- Footer Section end-->

      </section>
    </div>

<script src="/guide/static/jquery.js"></script>
<script type="text/javascript" src="/guide/static/docs.js"></script>
<script type="text/javascript">
  window.initial_state = {}</script>
  </body>
</html>
